← voltar
CVE-2025-32426

Formie has a XSS vulnerability for email notification content for preview

CVSS 4.6 MEDIUMEPSS 0.2%CWE-79
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 4.6EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
11 abr 2025Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
Formie is a Craft CMS plugin for creating forms. Prior to version 2.1.44, it is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is no issue when rendering the email via normal means (a delivered email). This would require access to the form's email notification settings. This has been fixed in Formie 2.1.44.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Produtos afetados
verbb · formie

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/verbb/formie/security/advisories/GHSA-2xm2-23ff-p8ww